Cyber spying expands in Iran after cover blown

Boston, August 29, 2012

The scope of a cyber espionage campaign targeting Iran and other parts of the Middle East has widened, even after security experts blew the operation's cover last month, according to the research firm that discovered the Mahdi Trojan.

Israeli security company Seculert said that it has identified about 150 new Mahdi victims over the past six weeks as the developers of the virus have changed the code to evade detection from anti-virus programs. That has brought the total number of infections found so far to nearly 1,000, the bulk of them in Iran.

The decision to keep the operation running implies that Mahdi's operators were not particularly worried about getting caught, said Roel Schouwenberg, a senior researcher with Kaspersky Lab, which has collaborated with Seculert in analyzing Mahdi.

Schouwenberg said that some viruses are designed for stealth because they become useless if they are discovered. He pointed to the Stuxnet Trojan that targeted Iran's nuclear program in 2010. After that customer-built virus was uncovered by a security researcher in Belarus, authorities in Iran discovered it in a uranium enrichment facility that it had targeted.

Mahdi is a "less professional" operation that runs on technology built with widely available software, according to Schouwenberg.

"If the quality of your operation is not that high, then maybe you don't care about being discovered," he said. "But the scary thing is that it can still be effective."

The Mahdi Trojan lets remote attackers steal files from infected PCs and monitor emails as well as instant messages, Seculert and Kaspersky said. It can also record audio, log keystrokes and take screen shots of activity on those computers.

The firms said they believed multiple gigabytes of data have been uploaded from targeted machines.

Targets of Mahdi include critical infrastructure firms, engineering students, financial services firms and government embassies located in five Middle Eastern countries, with the majority of the infections in Iran, according to the two security firms.

The bulk of the new victims were in Iran, which is where most infections have occurred to date, according to Seculert, though a few were identified in the United States and Germany.

The two firms have declined to identify specific victims.

Raff said that he suspects the campaign is being run by hacker activists, or "hactivists," who are either funded by a government or provide information they collect to a nation for ideological reasons. He declined to say which country might be involved.

Seculert and Kaspersky dubbed the campaign Mahdi after a term referring to the prophesied redeemer of Islam because evidence suggests the attackers used a folder with that name as they developed the software to run the project.

They also included a text file named mahdi.txt in the malicious software that infected target computers. – Reuters